Computer compromised or coincidental to hotmail account being hijacked & virus found?

Discussion in 'Malware Help (A Specialist Will Reply)' started by philber, Nov 30, 2010.

  1. philber

    philber Private E-2

    Hello and thanks in advance for your time and help :)


    A few weeks ago, my hotmail email account was hijacked and someone changed the password. I found this odd and did a full scan of my computer with AVG free and found nothing (I keep it updated regularly). Then I did a full scan with MalwareBytes and it found multiple things, which surprised me as I try and scan every download with AVG before opening them. Anyway, I must have messed up as somehow I ended up with trojans and viruses on my computer. I still have the Mbam report log from that scan that found problems.
    In the meantime, I switched to an older computer I had that I knew was not infected and forgot about my main computer as my priority was to try and recover my hotmail account as that had years of work on it. That's now a lost cause and I am ready to go back to my main computer. But before I do that, I want to be sure that there are not any backdoor trojans, keyword loggers or anything else left on there as I have spent well over 100 hours dealing with new passwords, updating all related accounts, yada, yada. I want to be sure that computer is safe before I begin using it again.

    What should I do to be 100% certain, or as best as possible, to be sure that machine is now safe to use? I re-scanned it with Mbam and it came up clean. I believe I also ran AVG on it again; Trendmicro and Panda software online scans as well. I tried to run Dr Web, but their website was crashing when I tried to download the latest version of it. I am not 100% sure what I have or have not actually run since I am brain fried from all the other stuff I have done trying to regain my email account.

    Let's assume I did nothing and start as if I am actually infected.

    Can someone please guide me through the steps to make sure my computer is free of malware, viruses, backdoors, keyword loggers and the like? I am not sure if the hacker got into my hotmail account by hacking my computer or if he hacked into hotmail itself, but the timing of it combined with the Mbam report of malware found is suspicious enough to make me think that my computer may have been compromised and that's how he gained my password.


    Thanks for the help!

    Phil
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member


    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain (if any still do)!

    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. philber

    philber Private E-2


    Hi Tim

    Thanks for the help. After running SUPERANTISPYWARE, upon reboot, my computer had difficulty bringing up my desktop screen. It would show nothing and I would turn the monitor on and off. I would get a message of “monitor is working, but no signal, check input”. I unplugged and replugged the monitor cable about 4 times, switching between input 1 and 3 several times. (I have a quad capable monitor system and have split cable set up on each input cable). Nothing would show up on the monitor, even though that was the same plug in I had always used. I know it is not a problem with the monitor as I plugged in my other computer and used the same monitor and cables and the monitor worked fine.
    Eventually, I got it to show me a monitor, but windows would not reboot and show the desktop. I was given a message that windows did not restart properly and it gave me options of starting in safe mode etc. I chose safe mode with networking to see what it would do and it showed me my desktop. I then turned the computer off and rebooted several times. Again, no desktop showed, nor did it give me the option of choosing safe mode etc. I then unplugged the monitor cable and switched between channel 1 and into channel 3 (which is the one I always had used). This time the desktop showed up fine and I was able to get online and continue to the MBAM scan.

    I tried to run combofix, but forgot to disable AVG free 9.0, so it gave me a message it couldn’t run with AVG loaded. I then went to disable AVG and couldn’t find what to do from the interface, so I ran ccleaner to uninstall it. Rebooted, had a momentary problem with the monitor not showing the desktop again. Unplugged and re-plugged the cable and the desktop showed up.
    Double clicked combofix and it started to run. I saw the tiny box pop up in the middle of my desktop, the green bars increase along the bottom of the tiny box and a window for combofix show up in the taskbar. Then the green bars went away and the “tiny box” disappeared, as well as the window for combofix in the taskbar. Waited a minute or so and nothing appeared to be happening. So I double clicked combofix again and the same pattern started. I wonder now if combofix was still running from the first time I double clicked it, but it wasn’t giving me any indication it was actually running behind the scenes.
    I noticed that even though I told ccleaner to uninstall AVG, that there was still an icon in my toolbar for AVG, so I tried to run ccleaner to uninstall it again and got a message that AVG was not installed. Found that weird as there was still an icon there, so I rebooted, saw the icon still there and decided to try again. Combofix will not run.
    Ok, ran an uninstaller from AVG and totally got rid of AVG, then tried combofix again and it ran. It asked me to download the windows recovery console, popped a few windows up for me to accept and at one point Zonealarm asked permission to allow access and I chose yes. Combofix then ran and generated a report. I never saw any windows showing what stage combofix was at (as per the screen shots on the “how to use combofix” page).

    After running MGTools I never saw the command prompt window that had the image "GetLogs-Final.jpg" like the instructions said, so I looked online for others having the same problem and thought I found the solution by running getlogs.bat. Well, I double clicked that and for a microsecond what looked like a command window opened up and that was it. Nothing else happened and no logs to be found anywhere. Shut down the computer and then tried to get into safe mode, but had the problem again with my desktop not showing up. Shut down again and just kept hitting F8 constantly, hoping it would boot into safe mode. It wouldn't. Shut down again, and plugged in the cables for my 2nd monitor. (Each cable to the computer has a splitter on it so I can run 4 monitors, i.e. 1 and 4 on one plug-in, 2 and 3 on the other. Monitor 3 is set as my primary monitor.) Well, this time I plugged in monitor 3 and monitor 1 and turned on both monitors. Monitor one now showed my desktop and I was able to get into safe mode before the desktop came up. I then ran MGtools from safe mode and the window popped up asking if I wanted to allow HijackThis to run. I clicked twice on I accept and it ran and generated the zip file with logs.



    At this time the only known problem I can see is the oddity of my main monitor not showing my desktop most of the time when I turn my computer on, or reboot. When windows shuts down for a reboot, I can hear the monitor turn off, like it has lost signal connection to the computer. The green light on the monitor which indicates it is energized/working goes from green to yellow and I can hear a sound like the energy is leaving the monitor or like it is degaussing. I wait long enough for windows to have rebooted and still no sign that the monitor is working. So I push in the power button and it goes from yellow to active green and I am shown not my desktop but a message saying “monitor working, no signal”. So then I have to fart around with unplugging and replugging in the monitor cable into the back of the computer. Sometimes this works, sometimes not. I would say this is not a problem in the monitor itself as I can plug in my old computer and use the same monitor and it starts right up, no problems. Any ideas on that?


    Thanks again for the speedy and thorough help! :)

    Phil

    PS See next post for MGTOOLS log
     


  4. philber

    philber Private E-2


    Posting the MGTOOLS log here, as well as the original MBAM log from the first time I ran it. That was a few days prior to contacting MajorGeeks for help when I realized I might be infected with something. I am also including a log file from SAS, which I ran before receiving your first reply and details on how to go about clearing my computer per the standard steps. Figured since they both cleared out some malware, it would be good to see what they caught in their scans.
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member


    I am not finding any malware in your logs. If you had an issue with Hotmail, you need to use a different computer and change your password. Then read this:
    http://blogs.msdn.com/b/securitytipstalk/archive/2010/07/07/hotmail-hacked-take-these-steps.aspx

    Any other issues you are having should be addressed in the software or hardware forums.

    Since you are not having any malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN, enter the below into the run box and then click OK. Note that the quotes are required:
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:




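As an added check that is not part of the thread or of the MajorGeeks tools, the following PowerShell script reads back the state the final steps in TimW's post are meant to leave behind: ComboFix gone from the Desktop, the registry patch files deleted, UAC back on, HijackThis no longer in Add/Remove Programs, the C:\MGtools folder cleaned up, and System Restore holding a fresh restore point. It assumes the locations the thread names (ComboFix and the .reg files on the Desktop, MGtools in C:\MGtools); the EnableLUA value and the Uninstall registry keys are standard Windows locations, not something from the thread. It only reads and changes nothing.

```powershell
# Added post-cleanup verification script (not the thread's own tool).
# Assumptions (hypothetical, following TimW's steps): ComboFix was placed on
# the Desktop, MGtools lives in C:\MGtools, fixme.reg/fixWLK.reg were saved to
# the Desktop. Run from an elevated PowerShell prompt; it is read-only.

function Test-CleanupStep {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    # One row per check; Passed is what a reviewer looks at first
    New-Object PSObject -Property @{ Step = $Name; Passed = $Passed; Detail = $Detail }
}

$results = @()
$desktop = Join-Path $env:USERPROFILE 'Desktop'

# Step 2: ComboFix has been uninstalled from the Desktop
$cf = Join-Path $desktop 'ComboFix.exe'
$results += Test-CleanupStep 'ComboFix removed' (-not (Test-Path $cf)) $cf

# Step 5: registry patch files have been deleted
foreach ($patch in 'fixme.reg', 'fixWLK.reg') {
    $p = Join-Path $desktop $patch
    $results += Test-CleanupStep "$patch deleted" (-not (Test-Path $p)) $p
}

# Step 6: UAC re-enabled (EnableLUA = 1 is the standard Windows switch)
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
$results += Test-CleanupStep 'UAC enabled' ($lua -eq 1) "EnableLUA=$lua"

# Step 7: HijackThis no longer listed in Add/Remove Programs
# (both native and 32-bit-on-64-bit uninstall hives are checked)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$hjt = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*HijackThis*' }
$hjtNames = ($hjt | ForEach-Object { $_.DisplayName }) -join ', '
$results += Test-CleanupStep 'HijackThis uninstalled' (-not $hjt) $hjtNames

# Step 8: MGclean.bat has removed the MGtools files and folders;
# a folder still present means the cleanup batch did not finish
$results += Test-CleanupStep 'MGtools folder removed' (-not (Test-Path 'C:\MGtools')) 'C:\MGtools'

# Step 9: System Restore is back on with at least one new restore point
try {
    $rp = @(Get-ComputerRestorePoint -ErrorAction Stop)
    $results += Test-CleanupStep 'Restore point present' ($rp.Count -gt 0) "$($rp.Count) restore point(s)"
} catch {
    # Get-ComputerRestorePoint fails when System Restore is disabled
    $results += Test-CleanupStep 'Restore point present' $false $_.Exception.Message
}

$results | Format-Table Step, Passed, Detail -AutoSize
```

Any row showing False points at the step in TimW's list that still needs doing; the Detail column names the path, registry value or error that caused it.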
     
  6. philber

    philber Private E-2


    Thanks Tim!
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member


    You are most welcome. Safe surfing. :)
     
